區塊先生 🐡 ⚠️ (rock #58)|Apr 20, 2026 06:21
️ Vercel major security incident erupts! Coin developers, this wave of supply chain attacks deserves high vigilance! (2026/4/19)
Today, Vercel officially confirmed a security incident: a third-party AI tool used by an employee http://Context.ai Hacked, causing attackers to invade internal systems through Google Workspace OAuth. Although only a "limited subset" of customers were affected, hackers have obtained some environment variables (env variables) that were not marked as sensitive, including highly sensitive credentials such as NPM tokens and GitHub tokens!
More seriously, ShinyHunters (the group that caused the Ticketmaster leak) has sold Vercel's internal database on BreachForums for $2 million. Vercel has Next.js (downloaded up to 6 million times a week), and once malicious code is pushed up, the global supply chain is instantly vulnerable!
Vercel has urgently contacted the hacker, hired Mandiant to investigate, notified law enforcement agencies, and made public the IOC (OAuth App ID). They also recommend that all users:
-Immediately review Activity Logs
-Rotate all env variables (especially API keys, database certificates, signature keys)
-In the future, it is essential to label important secrets as' Sensitive '
-Check the recent deployment and delete it if you have any doubts
-Enable Deployment Protection (at least Standard level)
The focus of the cryptocurrency circle has arrived!
Nowadays, the Web3/coin circle no longer only needs to prevent smart contract vulnerabilities!
The real demon king lies in human error and third-party tool risks:
1. Human error: Developers string Google Workspace, AI proxy tools, and CI/CD permissions together for convenience, and all OAuth authorizations are lost.
2. Tools like Vercel: Next.js and Vercel have become the main deployment force for countless dApps and front-end projects. Once the supply chain is poisoned, wallet contracts Bridge、 Front end UI may all be implanted with backdoors.
This incident once again reminds us that Zero Trust is not a slogan, it is the law of survival.
-Don't mistake 'convenience' for safety anymore
-All secrets will always be treated as leaked
-Third party AI tools and OAuth apps must strictly review permissions
Immediate Action Checklist (Recommended to Copy to Team):
✅ Check Vercel, NPM, GitHub, and all API keys
✅ Enable sensitive env variables
✅ Review deployment records from the past 72 hours
✅ Consider migrating critical projects to self managed infrastructure or stricter permission controls
The scene of Vercel's DM hacker saying 'please stop' this time is really shocking... This is not a single event, but a wake-up call for the entire development ecosystem!
Share To
HotFlash
APP
X
Telegram
CopyLink